AVG Shows My Computer Has a a couple win32 Cryptors on it

View previous topic View next topic Go down

AVG Shows My Computer Has a a couple win32 Cryptors on it

Post by D3ATHBM on 31st March 2009, 9:32 pm

Well i Scanned My Whole Comp With AVG Today And its Found Win32 Cryptors on it But There Is a Story Behind it See i Have a Guy To Fix My Comp And i Sent it To Him To Do a Systems Wipe Well When i Get My Comp Back it Looks Every Thing is Off Of it As Expected and He Even Threw in a Copy of Microsoft office 07 But When i Got on The Internet And Clicked on Links it would jump or redirect me to a Random Site So i Did a Virus Check With Avg And Found 96 Viruses on it Wow i know right Well Avg Healed 73 Of Them Leaving Me With 23 the Main ones that Are Showing up in Avg Virus log is Win32 Cryptor and i would like to See if Some one Could Help Me Remove it Please And i Also have a Question to Have Your Comp Wiped Doesn't That Mean Every Thing Should Be off Right it All Should Be Fresh So There Shouldnt Be Viruses on it Right???

HERE IS MY HiJack This Logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:22 PM, on 3/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\User\reader_s.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\ATTToolbar\FDServer.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\DOCUME~1\User\LOCALS~1\Temp\541538446.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: C:\WINDOWS\system32\nhser43uhjnefr.dll - {c2ba40a2-74f3-42bd-f434-2604812c8954} - C:\WINDOWS\system32\nhser43uhjnefr.dll
O2 - BHO: (no name) - {f3b60e57-c3fe-49ea-a139-30fe2882649e} - C:\WINDOWS\system32\bootvi.dll
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Yjoxax] rundll32.exe "C:\WINDOWS\ovihayeridasib.dll",e
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [] C:\DOCUME~1\User\LOCALS~1\Temp\fb46qf63v2.exe
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [Windows Resurections] C:\DOCUME~1\User\LOCALS~1\Temp\fb46qf63v2.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\User\LOCALS~1\Temp\541538446.exe
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-0162154242-0905687065-294024240-3343\service.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\User\reader_s.exe
O4 - HKCU\..\Run: [12CFG515-K641-55SF-N66P] C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [international] International*
O16 - DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} (Windows Live Safety Center Base Module) - [You must be registered and logged in to see this link.]
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: winctrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O22 - SharedTaskScheduler: kjm6t5rinmhp8o87t7r6gh - {C2BA40A2-74F3-42BD-F434-2604812C8954} - C:\WINDOWS\system32\nhser43uhjnefr.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 6597 bytes

D3ATHBM
Novice
Novice

Posts Posts : 7
Joined Joined : 2009-03-31
OS OS : XP
Points Points : 28113
# Likes # Likes : 0

View user profile

Back to top Go down

Re: AVG Shows My Computer Has a a couple win32 Cryptors on it

Post by Belahzur on 31st March 2009, 9:35 pm

Hello.
Game over already, time to do another wipe.

You have picked up Virut. A file infecter, that's why AVG has picked up so many files, because all your system files have taken the damage, and cannot be fixed.

See here:
[You must be registered and logged in to see this link.]


Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steal personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: AVG Shows My Computer Has a a couple win32 Cryptors on it

Post by D3ATHBM on 31st March 2009, 9:46 pm

Wow That Sucks To Know And At This Point i The Person Was originally Supposed To Wipe it None of This Is Supposed To Be on Here if My Comp Was Supposedly Wiped and originally Did Not have none of This on It Before i Gave it To Him

And Yes i Would Like For u To Attempt To Clean My Machine But how Would u Go About Doing it And Is There a Price Money Wise on u Doing This For Me


Last edited by D3ATHBM on 31st March 2009, 10:52 pm; edited 1 time in total

D3ATHBM
Novice
Novice

Posts Posts : 7
Joined Joined : 2009-03-31
OS OS : XP
Points Points : 28113
# Likes # Likes : 0

View user profile

Back to top Go down

Re: AVG Shows My Computer Has a a couple win32 Cryptors on it

Post by Belahzur on 31st March 2009, 9:50 pm

Sorry, but there is no way of fixing this. Virut infects EVERY EXE and SCR file on the machine.

It would be much easier to wipe it yourself, that way it's controlled. Who knows what the guy AFTER formatting it.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum